On the factual side, plaintiffs were not able to develop any evidence that (1) Embarq obtained or utilized any of the data extracted by NebuAd, or (2) the flow of data through Embarq’s system differed in any way from how data typically flowed through Embarq’s system (the big exception being that the data was routed in a way that allowed NebuAd to extract data regarding plaintiffs).

Canvassing the ECPA’s legislative history and context, and the fact that there’s no general federal statutory liability for aiding and abetting (absent a clear Congressional directive), the court says that Embarq cannot be held liable for any alleged ECPA violations of NebuAd. Thus, the court looks to see if Embarq violated the ECPA directly.

With respect to whether Embarq itself “intercepted” plaintiffs’ communications, the court notes the clunky application of the term “intercept” to the facts. “Interception” is defined as the “acquisition” of a communication’s “contents,” but the line between “access” and “acquisition” is murky at best. The court instead relies on the portion of the definition of “device” that excludes any equipment “used by a provider of wire or electronic communication services in the ordinary course of its business.” Noting there was no dispute that Embarq only acquired the same access to the data that it had as an IAP, the court concludes that Embarq falls under this exception and can’t be held liable for intercepting plaintiffs’ communications.

__

Ouch. There were some mildly favorable facts to Embarq (the fact that it was paid an absurdly small amount of money for participating in the DPI test), but I still find the emphatic defense win somewhat remarkable. Privacy plaintiffs just cannot seem to catch a break.

The lack of a derivative liability concept under the ECPA is significant, and a majority of courts have said there is no derivative liability under either the ECPA or the Computer Fraud and Abuse Act. (See also Valentine v. WideOpen West Finance (another NebuAd case) and the somewhat factually bizarre CAIR v. Gaubatz which recently came to the same conclusion on the ECPA issue; the CAIR case fell through the cracks of the blogging queue.)

Interestingly, in Valentine, the district court granted summary judgment on the basis that plaintiffs failed to adequately allege any interception but left things open as to whether plaintiffs could state a claim for “disclosure” or “use” of communications under 2511. The court directed the parties to file additional briefs on this issue.